Because NetKey/ IDKey only proves that its owner is allowed to use a role with the relevant certificate, the certificate for the role must be installed or be accessible on all computer systems on which the person is to exercise their role. The smartcard – the NetKey/ IDKey – is only required in order to authorize actions in conjunction with the certificate.

Because of NetKey/ IDKey's two-factor security, it must be carried around for mobile use and therefore remains under its owner's control.